I would be happy to be proven wrong, but it's unlikely the amount of effort
this will incur will be worth the small number of sites that will use it
(large sites probably won't, and small sites, as usual, won't even know
about it's existence). In addition, it's going to be such a fragile
security
1. How are keyup/down/press restrictions useful for password protection?
Actually they seem more useful for CSRF instead.
2. How is the tainting problem simplified by focusing on write only?
3. How is tagging the credential as write-only help with the secure
deployment of a site-wide CSP policy?
On Thu, Oct 16, 2014 at 11:59 AM, Mike West mk...@google.com wrote:
On Thu, Oct 16, 2014 at 10:36 AM, Eduardo' Vela Nava e...@google.com
wrote:
1. How are keyup/down/press restrictions useful for password protection?
Actually they seem more useful for CSRF instead.
These events are some
On Thu, Oct 16, 2014 at 3:07 PM, Mike West mk...@google.com wrote:
On Thu, Oct 16, 2014 at 12:16 PM, Eduardo' Vela Nava e...@google.com
wrote:
On Thu, Oct 16, 2014 at 11:59 AM, Mike West mk...@google.com wrote:
On Thu, Oct 16, 2014 at 10:36 AM, Eduardo' Vela Nava e...@google.com
wrote
Yea the keyup/down/press restrictions are definitely not useful, at least
for password protection since the user has clearly no way to know if the
field is safe or not.
The tainting is never gonna work reliably and consistently as Michal hinted
(say, a blob: URL would run in the same origin but
On Tue, May 13, 2014 at 9:38 AM, Ian Hickson i...@hixie.ch wrote:
On Mon, 12 May 2014, Eduardo' Vela\ Nava wrote:
On Mon, May 12, 2014 at 4:17 PM, Ian Hickson i...@hixie.ch wrote:
Note that there _is_ still a content type check with appcache, it's
just done on the first few bytes
Thanks!
Just to ensure this wasn't lost in the thread.
What about X-Content-Type-Options: nosniff?
Could we formalize it and remove the X and disable sniffing all together?
On Tue, May 13, 2014 at 12:06 PM, Ian Hickson i...@hixie.ch wrote:
On Tue, 13 May 2014, Eduardo' Vela\ Nava wrote
(for context [tests]
http://philip.html5.org/tests/ie8/cases/content-type-nosniff.html)
On Tue, May 13, 2014 at 1:06 PM, Ian Hickson i...@hixie.ch wrote:
On Tue, 13 May 2014, Eduardo' Vela\ Nava wrote:
Thanks!
Just to ensure this wasn't lost in the thread.
What about X-Content-Type-Options: nosniff?
Could we formalize it and remove the X and disable sniffing all
(for the sake of completeness)
On Tue, May 13, 2014 at 12:06 PM, Ian Hickson i...@hixie.ch wrote:
On Tue, 13 May 2014, Eduardo' Vela\ Nava wrote:
I agree that you're less likely to be able to control the headers. But
I don't think that's enough. A big part of the reason that authors
If CSS, JS and plugins had magic numbers at the beginning of the file, then
that would prevent the issues that you are discussing right?
I think that's Ian's point, that for those file types, we need CT, but for
others, like manifest files, and image and plugins we shouldn't need.
PDFs, and JARs
So today, we need CT for JSONP and CSV. Those are the ones we *need* CT.
The idea is to train the browser to recognize the CTs of formats that are
ambiguous.
On Tue, May 13, 2014 at 8:26 PM, Michal Zalewski lcam...@coredump.cxwrote:
I think that's Ian's point, that for those file types, we
@Ian, is there a way to find out what was the Content-Type that the authors
that complained were getting?
Hopefully we can figure out a list of Content-Types that are unlikely to
cause security problems?
On Tue, May 13, 2014 at 8:32 PM, Eduardo' Vela Nava e...@google.comwrote:
So today, we
Hi!
In the following bug:
https://www.w3.org/Bugs/Public/show_bug.cgi?id=14701the Content-Type
requirement for AppCache manifest files was dropped, and
the security implications of such change probably weren't fully understood
at that time, and we want to start a discussion on this topic to
On Mon, May 12, 2014 at 4:17 PM, Ian Hickson i...@hixie.ch wrote:
On Mon, 12 May 2014, Eduardo' Vela\ Nava wrote:
Now, with appcache manifest files, we are introducing a
security-sensitive change based on a file with special powers (more on
this later), and while before they were guarded
15 matches
Mail list logo